Last updated: 2026-03-12
This Privacy Policy governs the processing of personal data carried out by Syncra Agency (hereinafter, "Syncra"), in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), Spanish Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD), and all other applicable data protection regulations.
The data controller for your personal data is Syncra Agency, with registered office in Barcelona, Spain. You can contact us at: privacy@syncra.agency. For any matter related to data protection, you may contact our Data Protection Officer (DPO) at the same email address.
We collect the following categories of personal data: (a) Identification data: name, surname, email address, company name, job title, phone number (optional). (b) Access data: account credentials (password encrypted with bcrypt), OAuth tokens from connected platforms (encrypted with AES-256-GCM), login records (IP, date, device). (c) Marketing platform data: performance metrics, campaign analytics, audience and engagement data from platforms you voluntarily connect (Instagram, Facebook, Google Ads, TikTok, LinkedIn, Pinterest, Twitter/X, Mailchimp). These are aggregated metrics from your business accounts, not end-user data. (d) Billing data: processed by Stripe Inc. as a data processor; Syncra only stores the Stripe customer identifier and subscription status, never credit card data. (e) Usage data: pages visited, features used, AI chatbot interactions, session frequency and duration. (f) Technical data: IP address, browser type, operating system, preferred language, timezone.
We process your data for the following purposes: (a) Contractual performance (Art. 6.1.b GDPR): providing the contracted service, including marketing metrics aggregation, report generation and AI analysis, account management and payment processing. (b) Legitimate interest (Art. 6.1.f GDPR): continuous platform improvement, fraud detection and prevention, IT security, technical support and essential service communications. (c) Consent (Art. 6.1.a GDPR): commercial communications and newsletters (when expressly requested), non-essential cookies, and processing of your content by generative AI models. (d) Legal compliance (Art. 6.1.c GDPR): tax, accounting and document retention obligations under Spanish law.
Syncra uses artificial intelligence models (provided by Anthropic, PBC) to generate analysis, marketing recommendations and content. AI processing involves: your marketing campaign data is sent to the AI provider as a 'data processor' under a Data Processing Agreement (DPA). The models do not train on your data; it is processed exclusively to generate real-time responses. You can opt out of AI features without affecting the core data aggregation functionalities. All prompts are sanitized to remove personally identifiable data before being sent to the model.
Your data may be shared with the following third parties, exclusively for the stated purposes: (a) Stripe Inc. (USA) — payment processing, under Standard Contractual Clauses (SCCs) approved by the European Commission and the EU-US Data Privacy Framework. (b) Anthropic, PBC (USA) — AI processing, under SCCs and active DPA. (c) Supabase Inc. (USA/EU) — authentication and storage, with EU servers available. (d) Pinecone Systems Inc. (USA) — vector storage for semantic search features, under SCCs. (e) Resend Inc. / Google LLC (USA) — transactional email delivery, under SCCs. (f) Cloudflare Inc. (global) — CDN and security services. We do not sell, rent or share your data with third parties for their own commercial purposes. All international transfers are carried out with the appropriate safeguards required by Articles 44-49 of the GDPR.
We retain your data for the following periods: (a) Account data: for as long as your account is active and for 30 calendar days after a deletion request. (b) Billing data: 5 years after the last transaction, in accordance with Art. 30 of the Spanish Commercial Code and Art. 70 of the General Tax Law. (c) Marketing platform data: while integrations remain connected; deleted within 7 days after disconnection. (d) Usage and analytics data: 24 months from collection, in anonymized form. (e) Security logs (access logs): 12 months in accordance with the LSSI-CE. Once these periods expire, data is securely deleted or irreversibly anonymized.
In accordance with the GDPR and LOPD-GDD, you have the following rights: (a) Right of access (Art. 15 GDPR): obtain confirmation of whether we process your data and access it. (b) Right to rectification (Art. 16 GDPR): correct inaccurate data or complete incomplete data. (c) Right to erasure (Art. 17 GDPR): request deletion of your data when no longer necessary. (d) Right to restriction (Art. 18 GDPR): request restriction of processing in certain circumstances. (e) Right to data portability (Art. 20 GDPR): receive your data in a structured, commonly used, machine-readable format (JSON/CSV). (f) Right to object (Art. 21 GDPR): object to processing based on legitimate interest or direct marketing. (g) Right not to be subject to automated decisions (Art. 22 GDPR): AI analyses are recommendations; no automated decision produces legal effects on you. (h) Right to digital erasure (Art. 93 LOPD-GDD): request deletion of your data in search engines. You can exercise these rights by sending an email to privacy@syncra.agency with a copy of your ID. We will respond within a maximum of 30 days.
We implement appropriate technical and organizational measures to protect your data, including: encryption in transit (TLS 1.3) and at rest (AES-256), OAuth tokens encrypted with AES-256-GCM and unique IVs, passwords hashed with bcrypt (factor 12), two-factor authentication (TOTP) available, role-based access control (RBAC), data access audit logs, encrypted backups with 30-day retention, periodic security reviews and penetration testing. Our production servers are located in data centers with ISO 27001 certifications within the European Union.
We use cookies and tracking technologies in accordance with our Cookie Policy (available at /cookies). For more information about which cookies we use, their purpose and how to manage them, please refer to that policy. In all cases, analytical and advertising cookies are only activated with your prior consent.
Syncra is a B2B service aimed at marketing professionals and businesses. We do not knowingly collect data from minors under 16 years of age (or the age established by the national legislation of the Member State). If we discover that we have collected data from a minor without the consent of their legal representative, we will delete it immediately.
When you connect your social media accounts (Instagram, Facebook, TikTok, LinkedIn, etc.) to Syncra, we only access the data authorized by the permission scopes you approve during the OAuth process. We do not publish content on your networks without your explicit consent. Third-party metrics data is subject to the privacy policies of each platform. You can disconnect any integration at any time from your account settings; upon doing so, we will delete the associated data within 7 days.
When you connect your Instagram Professional or Facebook Page account and grant the instagram_business_manage_messages permission, Syncra accesses your Instagram Direct Message and Facebook Messenger conversations. Specifically, we collect: (a) Conversation metadata: participant identifiers, timestamps, conversation thread IDs. (b) Message content: text messages and media attachment references exchanged between your business account and your customers. (c) Sender information: participant names and profile identifiers. This data is stored encrypted (AES-256-GCM) in our database, scoped to your organization. Only authenticated team members within the same organization can view or respond to messages. We use this data solely to: display conversations in our unified inbox interface, enable you to reply to customer messages from within Syncra, and provide AI-powered reply suggestions (optional). We do NOT use message data for advertising, profiling, or any purpose other than providing the inbox functionality. Message data is retained while your account is active and deleted within 7 days of disconnecting the integration. You can request immediate data deletion at any time by contacting privacy@syncra.agency or using the data deletion feature in your account settings. When a user removes our app from their Facebook or Instagram settings, we receive a data deletion callback and automatically purge all associated message data.
We will send you transactional communications necessary for service delivery (account confirmations, security alerts, publication reminders). For commercial communications (newsletters, product updates), we will request your express consent, which you can revoke at any time via the unsubscribe link in each email or from your account settings.
We reserve the right to update this Privacy Policy to reflect changes in our practices or applicable legislation. We will publish the updated version on this page with the date of the last modification. If changes are material, we will notify you by email or through a notice on the platform at least 30 days before they take effect.
Without prejudice to any other administrative remedy or judicial action, you have the right to file a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es, C/ Jorge Juan 6, 28001 Madrid. If you are in Catalonia, you may also contact the Catalan Data Protection Authority (APDCAT): www.apdcat.gencat.cat.
For any inquiries regarding this Privacy Policy or the exercise of your rights, you can contact us at: Email: privacy@syncra.agency. Syncra Agency, Barcelona, Spain. We will respond to your request within the legal period of 30 days.